<role>
<name>Financial auditor</name>
<assignment>
<policyRule>
<name>excluded-invoice-clerk</name>
<policyConstraints>
<exclusion>
<!-- Invoice clerk role -->
<targetRef oid="82d0d8a6-9459-46e3-87e8-3f469f34fd2d" type="RoleType"/>
</exclusion>
</policyConstraints>
<policyActions>
<record/>
</policyActions>
</policyRule>
</assignment>
</role>
Gradual Enforcement of Policies
Gradual policy enforcement feature
This page describes Gradual policy enforcement midPoint feature.
Please see the feature page for more details.
|
MidPoint contains powerful mechanism of policy rules and policy objects, which can be used to enforce various policies, such as segregation of duty policies. However, outright enforcement of new policies can be very inconvenient and disruptive. As new policy is applied, it is likely that there are existing violations of the policy. If such a policy is immediately enforced, users that are in violations of such policy will be impacted. MidPoint takes policy enforcement very seriously. MidPoint will deny any operation on such user until the user is brought to the state of policy compliance. However, this means that the users are efficiently paralyzed. Therefore, it is much better idea to enforce the policy gradually rather than immediately.
Procedure
Gradual policy enforcement is done in several steps:
-
Policy is defined, usually in a form of policy rules.
-
Action part of the policy rules is set to
record
-
Objects that may be affected by the policy are recomputed.
-
Recompute process marks all objects that violate the policy using object mark.
-
Marked objects are analyzed, using reports, dashboards or simple search in user interface.
-
Policy violations are corrected. This may take quite a long time. The policy is not enforced yet, therefore there will be no obstacle to normal system operation.
-
When all policy violations are eliminated, policy rule action can be switched to
enforce
. -
MidPoint will not allow any new policy violations, strictly enforcing the policy from now on.
Example
This example demonstrates gradual application of segregation of duties (SoD) policy. SoD is a very good example as gradual policy enforcement, as it is very likely that there will be existing policy violations, especially in systems with large user base and large number of roles.
First step of gradual application of SoD policy is definition of SoD policy rule, while setting the action to record
.
In this case we are trying to exclude Financial auditor
and Invoice clerk
roles.
Therefore, there is a simple policy rule in Financial auditor
role that excludes Invoice clerk
role.
The rule has policyActions
set to record
, therefore it will not interfere with operations, it will just record the situation using object mark Exclusion violation
.
Second step is to recompute all the users, to make sure that updated policy is applied.
Users that are in conflict with the policy will be marked by Exclusion violation
mark.
We can use search to locate marked objects.
However, SoD violations have pre-defined widget in compliance dashboard:
The dashboard widget leads to the list of users with SoD conflict. The users can be reviewed, and the conflicts can be corrected one by one. Process of this effort can be monitored on the compliance dashboard.
Once all the violations are addressed, the policy can be changed to full enforcement by changing policyActions
set to enforcement
setting.
<role>
<name>Financial auditor</name>
<assignment>
<policyRule>
<name>excluded-invoice-clerk</name>
<policyConstraints>
<exclusion>
<!-- Invoice clerk role -->
<targetRef oid="82d0d8a6-9459-46e3-87e8-3f469f34fd2d" type="RoleType"/>
</exclusion>
</policyConstraints>
<policyActions>
<enforcement/>
</policyActions>
</policyRule>
</assignment>
</role>
At this point, any attempt to assign conflicting roles ends up with an error. The policy is fully enforced now.
See Also
Compliance
This feature is related to the following compliance frameworks:
-
ISO/IEC 27001 5.3: Segregation of duties
This page contains: Example of gradual enforcement of SoD policy.